
Managing CA Certificates with the Configuration File (Unix)

When configuring the client, set it up to trust the CA certificate and to access the certificate revocation list (CRL).

To configure the client to trust the server's certificate, perform the following tasks:

Copy the CA certificate(s) to the client machine. You can either copy the X.509 certificate(s) as such, or you can copy a PKCS #7 package including the CA certificate(s).

Certificates can be extracted from a PKCS #7 package by specifying the -7 flag with ssh-keygen-g3.

Define the CA certificate(s) to be used in host authentication in the ssh-broker-config.xml file under the general element:

You can disable the use of CRLs by setting the disable-crls attribute of the ca-certificate element to "yes".

Note

CRL usage should only be disabled for testing purposes. Otherwise it is highly recommended to always use CRLs.

Also define the LDAP server(s) or OCSP responder(s) used for CRL checks. Defining the LDAP server is not necessary if the CA certificate contains a CRL distribution point extension.

If the CA services (OCSP, CRL) are located behind a firewall, also define the SOCKS server in the ssh-broker-config.xml file. The SOCKS server is defined inside the cert-validation element with the socks-server-url element.
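The following ssh-broker-config.xml fragment is an added example that pulls the steps above together; it is not taken from the original page or from the product documentation. The ldap-server and ocsp-responder element names and the name, file, address, port and url attributes are assumed from Tectia's configuration schema, and all hostnames, ports and file paths are constructed placeholders.

```xml
<!-- Added example fragment of ssh-broker-config.xml; hostnames, ports and
     paths are constructed placeholders, not values from the page. -->
<general>
  <cert-validation>
    <!-- CA certificate copied to the client, optionally extracted from a
         PKCS #7 package with ssh-keygen-g3 -7. Keep disable-crls="no" in
         production; "yes" is meant for testing only. -->
    <ca-certificate name="example-ca"
                    file="/etc/ssh2/trusted-ca/example-ca.crt"
                    disable-crls="no" />

    <!-- LDAP server used to fetch CRLs; only needed when the CA certificate
         carries no CRL distribution point extension. -->
    <ldap-server address="ldap.example.com" port="389" />

    <!-- OCSP responder as the alternative revocation check. -->
    <ocsp-responder url="http://ocsp.example.com:8090" />

    <!-- SOCKS proxy through which the CA services are reached when they sit
         behind a firewall. -->
    <socks-server-url>socks://socks.example.com:1080</socks-server-url>
  </cert-validation>
</general>
```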